CVE-2026-3663 is an out-of-bounds read vulnerability identified in the xlnt-community xlnt library, versions up to 1.6.1. The flaw exists in the function xlnt::detail::compound_document_istreambuf::xsgetn within the source/detail/cryptography/compound_document.cpp file, which is part of the XLSX file parser component. This function improperly handles input data, allowing an attacker with local access and low privileges to manipulate the input and cause the program to read memory beyond the intended buffer boundaries. Such out-of-bounds reads can lead to information disclosure, as sensitive memory contents may be exposed, or cause application crashes due to invalid memory access. The vulnerability does not require user interaction and does not escalate privileges or allow remote exploitation, limiting its attack surface. The patch addressing this issue is identified as patch 147 and is recommended to be applied to affected versions 1.6.0 and 1.6.1. No public exploits have been observed in the wild, but the exploit code has been made public, increasing the urgency for remediation. The CVSS 4.0 base score is 4.8, reflecting a medium severity level due to local attack vector and limited impact scope.

The primary impact of CVE-2026-3663 is potential information disclosure and application instability for systems using the vulnerable xlnt library versions. Attackers with local access could exploit this vulnerability to read sensitive memory contents, which might include confidential data or cryptographic material, depending on the application context. This could lead to leakage of sensitive information, undermining confidentiality. Additionally, the out-of-bounds read could cause application crashes or denial of service, affecting availability. However, since exploitation requires local access and low privileges, the risk is mitigated in environments with strict access controls. Organizations relying on xlnt for XLSX file parsing in desktop applications, embedded systems, or server-side processing could face operational disruptions or data exposure if unpatched. The lack of remote exploitability and no requirement for user interaction reduce the likelihood of widespread automated attacks but do not eliminate risk in multi-user or shared environments.

To mitigate CVE-2026-3663, organizations should immediately apply the official patch (patch 147) provided by the xlnt-community to upgrade affected versions 1.6.0 and 1.6.1 to a fixed release. In environments where patching is delayed, restrict local access to systems running vulnerable xlnt versions by enforcing strict user permissions and access controls. Employ application whitelisting and monitoring to detect unusual file parsing activities that might indicate exploitation attempts. Conduct code audits and fuzz testing on custom integrations using xlnt to identify any additional parsing weaknesses. Educate users about the risks of opening untrusted XLSX files locally, especially in multi-user systems. Maintain up-to-date backups and incident response plans to quickly recover from potential crashes or data leaks. Finally, monitor threat intelligence sources for any emerging exploit activity related to this vulnerability.